mirror of
https://github.com/qpdf/qpdf.git
synced 2024-12-22 19:08:59 +00:00
Validate that offsets in object streams are strictly increasing
This commit is contained in:
parent
1b6a504d42
commit
192525226f
@ -2064,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
|
|||||||
(m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
|
(m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
|
||||||
bp.get()));
|
bp.get()));
|
||||||
|
|
||||||
|
qpdf_offset_t last_offset = -1;
|
||||||
for (int i = 0; i < n; ++i) {
|
for (int i = 0; i < n; ++i) {
|
||||||
QPDFTokenizer::Token tnum = readToken(*input);
|
QPDFTokenizer::Token tnum = readToken(*input);
|
||||||
QPDFTokenizer::Token toffset = readToken(*input);
|
QPDFTokenizer::Token toffset = readToken(*input);
|
||||||
@ -2089,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
|
|||||||
"object stream claims to contain itself"));
|
"object stream claims to contain itself"));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
if (offset <= last_offset) {
|
||||||
|
throw damagedPDF(
|
||||||
|
*input,
|
||||||
|
m->last_object_description,
|
||||||
|
input->getLastOffset(),
|
||||||
|
"expected offsets in object stream to be increasing");
|
||||||
|
}
|
||||||
|
last_offset = offset;
|
||||||
|
|
||||||
offsets[num] = toI(offset + first);
|
offsets[num] = toI(offset + first);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user